Corporate users warned Intel AMT flaw has 'destructive' potential

Intel technology has been thrown in the spotlight again after security researchers found a potentially ‘destructive’ vulnerability in its AMT solution, commonly deployed in corporate devices.

Australian cybersecurity watchdog Stay Smart Online issued an alert yesterday that details a new flaw in Intel’s Active Management Technology, also known as AMT.

The vulnerability allows attackers who gain physical access to a device to bypass BIOS and Bitlocker passwords. The attacker could then gain remote access to the compromised machine.

AMT is software that provides IT teams maintenance and remote access monitoring in order to control device fleets.

The vulnerability was discovered by security firm F-Secure. The company says that anyone who gains physical access to a machine could create a backdoor in less than 30 seconds.

According to F-Secure security consultant Harry Sintonen, the backdoor is simple to exploit and wields destructive potential.

“In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

F-Secure explains that an attacker just need to reboot or turn on the machine and press CTRL-P during the boot up process.

“The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops.”

“The attacker then may change the default password, enable remote access and set AMT’s user opt-in to 'None.' The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.”

Stay Smart Online says that if users do not need AMT, they should disable it in their device’s BIOS immediately.
“If you do need it, change the default ‘admin’ password to something that is hard to guess.”

F-Secure adds that organisations should analyse all deployed devices and configure the AMT password. If the password is unknown, the device may be compromised.

“We also recommend corporate laptops are never left out of a user's sight, especially in public places such as airports.”

Sintonen further explains how a potential attack could work:

“You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.”

Earlier this month vulnerabilities dubbed ‘Meltdown’ and ‘Spectre’ put AMD, ARM and Intel processors in digital devices including computers, mobile phones, TVs, tablets and routers at risk. The vulnerabilities are not related to the AMT vulnerability.

CERT NZ warned that all devices must be updated to mitigate the vulnerabilities and protect against attacks, which could steal personal information and passwords.